JP2017143578A - Path scanning for detection of anomalous subgraph and use of dns request and host agent for anomaly/change detection and network situational awareness - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a system, apparatus, computer-readable medium, and computer-implemented method, for detecting an anomalous behavior in a network.SOLUTION: Historical parameters of a network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network. Each computing system in the network may be a node in the graph, and the sequence of connections between two computing systems may be a directed edge in the network. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect an anomalous behavior. Data collected by a Unified Host Collection Agent (UHCA) may also be used to detect an anomalous behavior.SELECTED DRAWING: Figure 4

Description

  The present invention generally relates to the detection of network intrusion, anomalies and policy violations, and more particularly, by path scanning to detect anomalous subgraphs embedded in a time evolving graph. , Network intrusion, anomaly and policy violation detection, computer network status recognition and the use of domain name service (DNS) for anomaly / change detection.

  In connection with the present invention, the US Government has the rights under the contract DE-AC52-06NA25396 between the US Energy Agency and Los Alamos National Security, LLC for the operation of the Los Alamos National Laboratory.

  This application claims the priority of US Provisional Patent Application No. 61 / 614,148, filed March 22, 2012. The contents of this previously filed provisional patent application are hereby incorporated by reference in their entirety.

  Modern computer hacking is a serious threat to companies, government agencies and other organizations. In general, hackers penetrate the system by automated means. For example, if a hacker sends a phishing email to an institution and a user clicks a link, the malware compromises the machine. This gives the hacker control of the machine at risk, and thus provides a foothold in the network where the machine at risk exists.

  Hackers cannot choose which machines are at risk and where they land in the net. Hackers usually go from the initial point where the network is compromised and look for another host to use. In general, since a single user cannot access the entire network, hackers need to traverse multiple machines to fully compromise the network. Hackers often use compromised accounts to find and access machines with multiple users and then enter the network.

  Conventional methods of detecting malicious insiders in a computer network generally cannot supplement the “traversal well”. Passage occurs when hackers navigate the network, infiltrate the system, and endanger other hosts using the compromised system. Although host-based detection systems that monitor specific machines have been completed to some extent and intrusion detection using firewalls has been well studied, it is generally sufficient to inspect multiple hops in the security perimeter and simultaneously look for anomalies. Not pioneered. In addition, network traffic monitoring is typically performed using sophisticated systems such as network interception, router mirror ports, and router-based flow observation. This method is expensive and cannot completely include traffic in the network.

  Certain embodiments of the present invention can provide a solution to the problems and desires in the present technology that are not fully identified, understood or resolved by current intrusion, anomaly, and policy violation detection techniques. For example, some embodiments of the present invention use exploration statistics to detect local anomaly subgraphs using DNS requests that can be used to infer intra-network communication patterns. Some embodiments of the present invention can be applied to any type of graph with time series data on each edge. Dynamic social network analysis (eg Twitter®, Facebook®, email network, etc.) may follow this type of analysis, or other appropriate graph structure as seen in biology. There may be. Thus, some embodiments of the present invention may have applications outside cyber security.

  In one embodiment, the computer-implemented method is based on the historical parameters (historical) of the basic statistical model of each “edge” (ie, the pair of communicating machines) on the network to determine normal activity levels. determining a parameter). The computer-implemented method also includes the step of enumerating multiple paths in the network as part of a graph representing the network, each computing system in the network being a node in the graph, A series of connections between computing systems may be directed edges in the graph. The method includes applying these basic or statistical models to a path formed from the edges of the graph under sliding window-based observation, detecting abnormal behavior based on the applied statistical models, and Is further included.

  In another embodiment, the apparatus includes at least one processor and a memory including instructions. This instruction, when executed on at least one processor, is configured to cause at least one processor to determine a past parameter of the network to determine a normal activity level. The instructions are also configured to cause at least one processor to enumerate multiple paths in the network as part of a graph representing the network, each computing system in the network being a node in the graph, and two A series of connections between computing systems may be directed edges in the graph. The instructions are further configured to apply the statistical model to the sliding window based graph to the at least one processor and detect anomalous behavior based on the applied statistical model.

  In another embodiment, the system includes a memory that stores computer program instructions configured to detect abnormal behavior in the network, and a plurality of computers configured to execute the stored computer program instructions. Processing core. The plurality of processing cores are configured to determine a past parameter of the network to determine a normal activity level. The multiple processing cores are also configured to enumerate multiple paths in the network as part of a graph representing the network, each computing system in the network may be a node in the graph, and two computing systems The series of connections between may be directed edges in the graph. The plurality of processing cores are further configured to apply a statistical model to the sliding window based graph and detect anomalous behavior based on the applied statistical model.

  In another embodiment, the computer-implemented method includes the step of the computing system collecting data from a plurality of host agents belonging to network communications transmitted and received by corresponding hosts in the network. The computer-implemented method also includes a step in which the computing system analyzes the collected data to detect abnormal behavior during a predetermined period, and when abnormal behavior is detected, the abnormal behavior is detected for a predetermined period. Providing an indication that the event occurred.

  For a proper understanding of the present invention, reference should be made to the accompanying drawings. These drawings depict only some embodiments of the invention and are not intended to limit the scope of the invention.

It is a figure which shows the common initial stage of the attack by the hacker. It is a figure which shows the 2nd step of the attack by a hacker. It is a figure which shows the 4th step of the attack by a hacker. 1 illustrates a system for detecting intrusions, anomalies and policy violations according to an embodiment of the present invention. FIG. It is a figure which shows an outward star. 4 is a flowchart illustrating a method for detecting abnormal behavior on a network according to an embodiment of the present invention. FIG. 4 is a road diagram showing a road generated using only name edges according to an embodiment of the present invention. FIG. 4 is a road diagram showing a road generated using only IP edges according to an embodiment of the present invention. FIG. 4 is a road diagram showing a path starting with three name edges and ending with an IP edge, according to an embodiment of the present invention. FIG. 6 is a road diagram showing a road having alternating name sides and IP sides according to an embodiment of the present invention. 4 is a flowchart of a method for collecting data belonging to an abnormality using UHCA according to an embodiment of the present invention.

  Some embodiments of the present invention are a series of interconnected computing systems that inspect roads through a network and the roads are connected to each other. In the graph, “node” represents a computing system and “edge” represents a series of connections between two computing systems. Examination of the road over time has been found to successfully detect anomalous actors performing traversal missions in some examples. In general, a probability model is created for each edge in the network. For the parameters estimated in a given window of time under consideration, a statistical test is performed on the model's past parameters. Deviations by a certain threshold from past parameters adjusted according to the alarm rate specified by the user may indicate an unusual path.

  Some embodiments detect anomalous behavior in edge sets joined together in k-paths. For k cascades, the end of the first side is the source of the second side, the end of the second side is the start of the third side, and so on. There may be a series of directed edges in the graph that are k. Data is associated with each side. In some embodiments, this data may be the number of connections between hosts on the computer network per unit time. List all k cascades (for a fixed number k) and examine the data using a sliding window of time. In order to build an established model for each road and determine the level of anomaly, the past parameters may be compared with the current estimated parameters within a time window.

  Identifying anomalies in a computer network is generally a difficult and complex problem. Anomalies often occur in a very local area of the net. Locality can be complex in this setting because of the underlying graph structure. To identify local anomalies, exploration statistics may be used on data extracted from graph edges over time. In order to capture locality in the graph, two shapes are particularly advantageous: a star and the above-described k cascade. The use of roads as exploration windows is new. Both of these shapes are motivated by hacker behaviors observed in real web attacks.

  These shapes may be listed across all graphs using a set of sliding time windows to identify local anomalies. To capture anomalies, local statistics at each window may be compared with past behavior. These local statistics may be model-based, and to help illustrate an example exploration procedure, two examples used by some embodiments of the present invention motivated by network flow data are used as examples. The model is described here. Large network data rates generally require rapid online detection. It is therefore desirable for an anomaly detection system to achieve real-time analysis speed.

  Once an attacker enters the network, attacker detection is generally a high-priority item in cybersecurity for countries and many agencies. It is difficult, if not impossible, to keep all attackers out of the net. Of the net attacks, the passage through the network is very common, and the core of many large-scale missions that attackers want to achieve, especially those where attackers work on behalf of the nation-state. It is a requirement. Some embodiments of the present invention promise to detect passage and have adjustable false positive parameters available to the system operator. In addition, some embodiments are designed to be performed in real time and provide rapid detection when an attack occurs. Another core part of some embodiments of the present invention is a collection of forensic tools that allow the analyst to fully discover an attacker's passage and identify a compromised host.

  Some embodiments of the present invention, in addition to detecting anomalous paths, observe DNS requests that are precursors to network traffic and infer subsequent network traffic from these requests. This inferred traffic is then used as a reliable data source for network anomaly / change detection tools, including network reconnaissance, network status recognition, and subgraph detection tools described with respect to some embodiments of the present invention. be able to. In many agencies, one or two aggregation points handle all DNS requests. As a result, the data supply is generally smaller than data obtained from other common network aggregation mechanisms such as routers or network interception aggregation mechanisms and is easier to capture. In addition, DNS generally handles connection level traffic more completely because alternatives to intercepting each router are prohibitively expensive and router interception is generally subject to overcrowding-based sampling. Even traffic within a subnetwork that is not visible by routers or intercepts can often be inferred from DNS requests. This can be important in terms of anomaly detection since it is not uncommon for hackers to stay in the subnetwork.

  For clarity, an anomaly scenario of an attack by a hacker that can be detected by some embodiments of the present invention is described. FIG. 1A shows a common initial stage 100 of a hacker attack. A hacker can accomplish an initial attack by using malicious software to compromise the machine 102 on the network. The endangered machine 102 is connected to an auxiliary machine 104 that is not connected to the passage path. These machines are not necessarily clean, but in this example are not used for subsequent passes. One way to first put the network at risk is called a phishing attack, where an email containing a link to a malicious website is sent to a set of users on the network. When a user clicks on a link, the user's computing system is compromised, giving the attacker some form of access to the user's computing system.

  Attackers generally cannot tell which computing systems are compromised, and even if there is a final goal, the initial host is not the final goal of a normal attack. Instead, hackers search for and extract valuable data, expand privileges, and / or promote extensive use in the network for later use and / or resistance when faced with defense measures taken by network operators. You might want to move to another computing system to establish a strong presence. Therefore, the attacker can proceed from this initial host to another host while hopping one by one. FIG. 1B shows the second stage 110 of the attack by the hacker. Here, the second computing system 102 is at risk, and the compromised computing system 102 is connected by one edge 112. FIG. 1C shows a fourth stage 120 of an attack by a hacker, where four computing systems 102 are compromised and the compromised computing systems 102 are connected by way 122.

  While passing through the network, the attacker performs abnormal behavior in the time series of communication along each passing edge. This means that additional communication is generally seen on the communication level that was normal in the past for each side. In some embodiments of the present invention, these abnormal edge unions are detected at certain time intervals, which represent an intrusion into the system.

  FIG. 2 illustrates a computing system or “system” 200 for detecting intrusions, anomalies and policy violations according to an embodiment of the present invention. System 200 includes a bus 205 or other communication mechanism for transmitting information, and a processor 210 coupled to bus 205 for processing information. The processor 210 may be any type of general purpose or special purpose processor, including a central processing unit (CPU) or an application specific integrated circuit (ASIC). The processor 210 may also have multiple processing cores, and at least some of the cores may be configured to perform specific functions. Some embodiments may use a multi-core, single-machine scheme called symmetric multiprocessing (SMP). Other embodiments may be implemented across multiple machines, and each machine may have multiple cores. This method is called a message passing interface (MPI). System 200 further includes a memory 215 that stores information and instructions for execution by processor 210. Memory 215 may be any of random access memory (RAM), read only memory (ROM), flash memory, cache, static storage such as a magnetic disk or optical disk, or any other type of non-transitory computer readable medium. It may consist of a combination of In addition, the system 200 includes a communication device 220 such as a wireless network interface that provides connection to the network.

  Non-transitory computer readable media can be any available media that can be utilized by processor 210 and can include both volatile and nonvolatile media, removable and non-removable media, and communication media. Good. Communication media may include computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.

  The processor 210 is further coupled via a bus 205 to a display device 225 that displays information to the user, such as a liquid crystal display (LCD). A cursor controller 235 such as a keyboard 230 and a computer mouse is further coupled to the bus 205 so that the user can interact with the system 200.

  In one embodiment, memory 215 stores software modules that provide functionality when executed by processor 210. This module includes the operating system 240 of the system 200. The module further includes a detection module 245 configured to detect intrusions, anomalies and policy violations. The system 200 may include one or more additional function modules 250 that include additional functions.

  One skilled in the art will appreciate that a “system” can be implemented as a personal computer, server, console, personal digital assistant (PDA), mobile phone, any other suitable computing device, or combination of devices. Having stated that the above functions are performed by a “system” does not limit the scope of the present invention in any way, but provides an example of many embodiments of the present invention. Indeed, the methods, systems and devices disclosed herein can be implemented in localized and distributed forms consistent with computational techniques.

  It should be noted that some of the features of the system described herein are represented as modules to more particularly emphasize their implementation independence. For example, the module may be implemented with a custom-built very large scale integrated circuit (VLSI) or a commercially available semiconductor such as a gate array, logic chip, transistor, or discrete component. Modules may also be implemented with programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, graphics processing units, and the like.

  A module may also be implemented, at least in part, in software executed by various types of processors. The identified unit of executable code may comprise, for example, one or more physical or logical blocks of computer instructions, which are organized as objects, procedures or functions, for example. Nonetheless, the executable code of the identified modules need not be physically located together, but are dissimilar instructions stored in different locations, and will perform the module when logically combined together. , To achieve the purpose of the module described above. In addition, a module can be, for example, a hardware disk drive, flash device, RAM, tape, or any other medium used to store data.

  In fact, a module of executable code may be a single instruction or a number of instructions, distributed across several different code segments of separate programs that span several memory devices. Also good. Similarly, operational data is identified and shown here in modules, implemented in any suitable form, and may be organized in any suitable type of data structure. Operational data may be aggregated as a single data set, distributed across separate locations, including separate storage devices, or at least partially present as simple electronic signals on the system or network May be.

  When hackers enter the net, road and star anomalies are observed. Star anomalies connect to other computing systems accessible to hackers using compromised computing systems and generate anomalies on multiple sides that diverge from the compromised host.

  A road anomaly may indicate a more sophisticated attack, which is a series of passes from each host in the road to the next. The caterpillar anomaly is a mixture of stars and roads. This method is designed to monitor the computer network in real time, and any method applied to computer network data at the enterprise level (more than 20,000 individual Internet Protocol (IP) addresses) must be fast. . Also, to identify very local anomalies, the system generally needs to monitor many small windows simultaneously. Some embodiments of the present invention can examine a large number of local objects in an enterprise-wide network in real time.

  Windows in outer space

だけが一般に重要である。したがって，一般に注意は窓の集合γ∈Γ_ｘに制約される。Γ_ｘは通常問題依存である。便宜上，Ｘ（γ）はγで与えられる窓におけるデータとして表される。 It is useful to examine a window in the time x graph product space. These window sets may be defined such that a graph G = (V, E) including a node set V and an edge set E exists. For each edge eεE, there is a data process X _e (t) at discrete points in time tε {1,..., T}. In the discretized time interval (s, s + 1,..., K), the time window set on the edge e is Ω = {[e, (s, s + 1,..., K)]: e∈E, 0 ≦ s ≦ k ≦ T}. The set of all subsets of the window, Γ = {{w ₁ , w ₂ ,...}: W _j ∈Ω} is usually very large and includes a locality constraint in time and graph space

Only is generally important. Thus, attention is generally constrained to the set of windows γ∈Γ _x . Γ _x is usually problem dependent. For convenience, X (γ) is represented as data in a window given by γ.

For any instant t and edge e, it may be assumed that X _e (t) can be described as an establishment process with a parameter function given by θ _e (t). The value of the parameter function can be evaluated by θ (γ) in the corresponding set of windows γ. Finally, the likelihood of the establishment process can be expressed as L (θ (γ) | X (γ)) for γ.

  Exploration statistics for windows in time x graph space

によって生成されたか否かを知ることは有益である。すなわち，Ｘ（γ）＝ｘ（γ）が観測されたとすると，全パラメータ空間Θを部分集合

に制限することによって形成できる代替物に対して，

を検定することは有益である。一般化尤度比検定（ＧＬＲＴ）統計量は利用できるもっともな統計量である。ここで，

とする。 For alternatives where the data in the window indicates that the parameter has changed, a known parameter function

It is useful to know if it was generated by That is, if X (γ) = x (γ) is observed, the entire parameter space Θ is a subset

For alternatives that can be formed by restricting to

It is useful to test The generalized likelihood ratio test (GLRT) statistic is the best statistic available. here,

And

The size of λ _γ depends on the number of parameters tested in the window and is difficult to use directly. To solve this problem, it normalizes the lambda _gamma by converting the lambda _gamma to a p-value p _gamma.

In order to search for anomalies in the (time × graph) product space, it is generally necessary to slide over all windows _γ and record the search statistics φ = min _γ p _γ . In practice, it is generally necessary to perform threshold processing on a set of p values so that a minimum p value or more is generally considered. For online monitoring, a threshold can be set for the p-value to control the false discovery rate. The higher the threshold, the more abnormalities that are identified, but the more false positives. In general, it should be set so that the analyst who runs the monitoring software is not overwhelmed. In general, when detection occurs, the set of windows (not only one) exceeds a threshold, and the combination of these windows is a detected anomaly generated by the system.

  Local shape: star and directed k cascade

The scheme described above can be used for batch (retrospective) processing or online (expected) processing. However, the graph is essentially generally combinatorial. For a fully connected graph with n nodes, the number of subgraphs is ^{2n (n-1)} . In practical applications, especially in an online environment, it is advantageous to use a limited set of graph windows for such a large number of subgraphs. Windows are created as appropriate to identify the shape of a particular anomaly.

  Directed k cascade

  One common intrusion example is due to the passage of hackers in a computer network, and a particular type of subgraph for online monitoring, namely a directed k cascade, is particularly advantageous. A directed k cascade is a subgraph of size k with diameter k. Here, size is the number of edges in the graph and diameter is the maximum hop distance between any pair of nodes. This means that the k cascade is a sequence of edges, the end node of the current side of the sequence is the start node of the next next sequence, and so on.

  Since the attack is explained by a path through the network, the k cascade has the advantage that it captures the core of many network attacks by adding an additional side “fuzz” around the core path. This attack shape was observed in actual attacks. In addition, the k cascade is very local, allowing detection above small.

  In some embodiments, 3-paths are used. Three cascades have the advantage of locality and are large enough to capture significant passages at the same time. To explore all 3 cascades in the network graph, the paths are first listed. For many graphs this is not trivial. If a cycle and a back edge are removed from an n-node fully connected graph, there are n (n−1) (n−2) (n−3) three cascades.

  In practice, many network graphs are generally not connected. However, in a 30 second time window, including only edges with non-zero activity in the window, the exemplary embodiment includes approximately 17,000 nodes, 90,000 edges, and 300 million 3 cascades. A graph is obtained. Effectively exploring the entire set of n (n-1) (n-2) (n-3) potential three cascades, but for any road that includes an inactive edge in the current time window Anomalous measurements cannot generally be calculated. Because a hacker usually needs to make at least one communication in order to pass an edge, the absence of activity on an edge indicates that there was no passage on that edge, so the road containing that edge is ( It is not considered abnormal (in the time window of interest).

Since there are many 3 cascades, it is important to be able to quickly enumerate the roads to maintain near real-time response capability. The algorithm for enumerating k cascades is shown below. Parallel processing is possible by distributing the edges in the ENUMERATE for each loop to a message passing interface (MPI) based cluster. Each MPI node then recursively computes all the paths from the edge list starting from that edge. In this example, side A is a list of length 2, A [1] is the start node, and A [2] is the end node.
function ENUMERATE (E, K):
// E = list of edges representing the graph
// K = integer length of the enumeration path
for each edge A in E: // A is an edge in the graph
list P [l] = A // A is the first side in the road
RECURSE (E, P, 1, K) // recursively add additional edges

function RECURS E (E, P, L, K):
// E = list of edges representing the graph
// P = list of edges representing the road
// L = integer length of P
// K = integer length of the enumeration path
edge A = P [L] // A is the last edge in the road
for each edge B in E: // B is an edge in the graph
if A [2] = B [1] then:
P [L + 1] = B // B is the last side of the road
if L + 1 == K:
EMIT (P) // k cascade was found
else:
RECURSE (E, P, L + l, K) // Add additional edges recursively

  This algorithm uses almost no memory and can be easily parallelized. In some real-time simulations, a 30 minute window of approximately 300 million roads could be enumerated and tested in less than 5 seconds per window using a 48 core general purpose machine. This adds room to the model and adds room for dealing with larger graphs than are already being analyzed, while maintaining a real-time data stream.

  Star

  As shown in the out-star 300 of FIG. 3, the star is another interesting shape for monitoring the communications network. A star is defined as a set of edges whose starting point is a given central node. In FIG. 3, the central node 302 is connected to the outer node 304 by a directed side. These shapes are not very localized, especially for high-degree nodes, but still capture the star-shaped anomalies fairly well. Roads have the ability to describe finer anomalies than star windows, but star windows are generally better than roads for large star anomalies.

  Time interval

  The time component includes the same time interval for each edge in the graph window. This can detect anomalies that occur in the same time window for each side in the shape. More sophisticated options such as sequential time windows or telephoto time windows may be used to provide specific protocols such as Secure Shell (SSH).

  Edge data

  In general, it is more advantageous to model data with edge decomposition rather than shape γ resolution. Explain two models motivated by the distribution of edge data over time, including estimation, hypothesis testing, p-value calculation and thresholding.

  An IP address defines a node, and communication between IP addresses defines the existence of a directed edge between these nodes in the graph. There is a huge variety of edges in the network, and certain characteristics may represent the presence of human actors on the source machine.

  Often, the switching process is observed in computer network data. Intuitively, for many sides, this change occurs because there are people on the net. When a user is on a machine, the user causes a non-zero count on the edge emanating from the machine. However, at many moments, even if there is a user, the user may be communicating with some other machine or may not be using the network at all, so the user may be non-zero in this area. May not cause a count. It is only known that when the user is not there, he observes zero on this side. This presence / absence induces a switching process between a pure zero count issue and a higher activity count issue. Intuitively, the count is higher at noon than at night, but for simplicity of the model, a homogeneous model may be used in some embodiments.

  Independence of neighborhoods in Hokkaido

In order to explore anomalous shapes, it is generally necessary to have a model that describes the behavior of data in windows under normal conditions. The number of enumerated subgraphs tends to vary exponentially with the number of nodes, and assuming the independence of edges in the shape, the graph is processed at line speed under reasonable memory requirements This makes it easy to adjust the necessary calculations. This generally means that edge independence only requires a model for each edge (and storage of edge parameters), whereas non-independence is not in billions, but in hundreds of millions of shapes. This is because it requires a model. Assuming independence, the GLRT of the road is expressed by the following equation.

Here, λ _e represents the GLRT score of each side in the window γ.

  Observed Markov model (OMM)

Here will be described in two models first simplest of is 2 state OMM, represented by B _t. When there is a non-zero count in the time bin, B _t = 1, otherwise B _t = 0. This model two parameters p01 ₌ P _| having _{(B t = 0 B t =} 1). The likelihood is expressed by the following equation.

Here, n _ij is the number of times a continuous pair (b _i , b _j ) is observed in the data. It may be assumed that the initial state is fixed and known. This model captures burstiness but ignores the distribution of non-zero counts and does not allow 0 to occur in a high state. The maximum likelihood estimation of OMM is given by

  Hidden Markov Model (HMM)

  HMM solves the above-mentioned OMM problem. In some embodiments, a two-state HMM is used with a zero degenerate distribution for negative binomial emission densities in the low and high states. The binomial distribution density is not affected by the equal dispersion of the Poisson distribution, and there are valid reasons to use them to monitor network count anomalies. Other models generally do not allow high states to emit zero, but this model does. For example, the zero count is distributed with on-zero data, but may still still be part of the “active” state. Intuitively speaking, it is generally considered that the active state is not “the user is communicating in this area” but “the user is at the machine”, and therefore the possibility of communication is high.

The observed count O _t follows the “hidden” two-state HMM Q _t . The transition parameters are given by p ₀₁ = P (Q _t = 1 | Q _t -1 = 0) and p ₁₀ = P (Q _t = 0 | Q _t -1 = 1). The emission density in each state is b ₀ (O _t ) = P (O _t | Q _t = 0) = IQ _t = 0) and b ₁ (O _t ) = P (O _t | μ, s, Q _t = 1) = Parameterized as NB (O _t | μ, s), where I (•) is an indicator function, NB (• | μ, s) is a negative binomial distribution density function of mean value μ and size s It is. The likelihood is expressed by the following equation.

Since the HMM maximum likelihood estimate does not have a closed form, an estimation maximization (EM) scheme may be used. In the set of the T discrete time count _{x = [x 1, ···,} x T] ', _{where, t = 1, ···, x} t ∈ {0,1 relative to T, · · • Observe. In this model, the count comes from one of the two distributions and is considered Z = [Z ₁ ,..., Z _T ] ′, ie a two-state Markov process. When p ₀₁ = Pr (Z _n = 1 | Z _n-1 = 0) and p ₁₀ = Pr (Z _n = 0 | Z _n-1 = 1), the latent transition matrix is expressed as follows.

The initial state distribution is expressed as π = Pr (Z ₁ = 1).

When Z _t = 0, the peripheral distribution of the count at time t is degenerated to 0. That is,

Here, I (•) is an instruction function. When Z _t = 1, the count is estimated to be distributed according to the following negative binomial distribution with mean and size parameters given by φ = [μ, s] ′.

The useful thing is that the joint probability distributions of both latent and observed variables are separated into separate parameter types and can be decomposed in a convenient way for calculation.

Here, θ = (π, A, φ) ′. Finally, the likelihood is

  Pooling and estimation

In practice, many edges in the network can be very sparse and therefore there are not many opportunities to observe high state counts. To make the estimation, the edges may be pooled according to μ _e , ie, the average number of non-zero counts per day averaged over a predetermined number of days. In some embodiments, two types of edges may be defined.

The edge type I (μ _e ≧ 1) consists of these edges for which there is sufficient data to estimate individual models. In some model runs, this number was about 45% of the edges for a net, but the percentage can vary. Maximum likelihood estimation values (MLE) may be used as parameters of these sides.

の集合を，

が辺種別ＩＩにおける所定数の最大のμ_ｅ値の中にあるように抽出される。いくつかの実施例においては，この数は例えば１，０００であってよい。これらの辺それぞれのパラメータが推定され，これらのパラメータベクトルの平均が取られる。辺種別ＩＩの共通辺モデルはこの平均ベクトルによってパラメータ化される。例えば最大の１，０００個のμ_ｅ値を取ることは，モデルが低カウント辺に過度に敏感にならないことを確実にする助けとなる。 Edge type II (μ _e <1) includes the remaining edges (approximately 55% of the edges in a network) that share a common parameter set to “borrow” information across very sparse data. Next, edge

A set of

Are extracted to be within a predetermined number of maximum μ _e values in the edge type II. In some embodiments, this number may be 1,000, for example. The parameters for each of these sides are estimated and the parameter vectors are averaged. The side type II common side model is parameterized by this average vector. For example taking the 1,000 mu _e value of the maximum, the model helps to ensure that not overly sensitive to low count sides.

  Alternative hypothesis

In order to obtain a GLRT, it is generally necessary to limit the entire parameter space in order to consider alternatives that reflect the type of hacker behavior to be detected. These alternatives may be intentionally kept generic to capture various behaviors. It is assumed that the hacker's behavior increases the parameter MLE that manages the model. This is because hackers must act in addition to the normal behavior on the edge. In particular, referring to OMM, the hacker's behavior is the probability of transition from an inactive state to an active state.

各場合において，帰無仮説はパラメータ又は二つのパラメータの対が過去のＭＬＥ値に等しい。 More options are available for HMM configuration. In some examples, three combinations of parameter changes were tested.

In each case, the null hypothesis is that the parameter or pair of two parameters is equal to the past MLE value.

  p-value calculation and threshold determination

Find the p-value of the observed GLRT statistic λ _γ . Under mild regular conditions, the GLRT is asymptotically a χ ² distribution with degrees of freedom equal to the number of free parameters in Θ. However, this does not apply when the true parameter is not at the Θ boundary. When the true parameter is at the boundary, a zero point mass in the distribution of λ _γ is obtained.

  P-value of star

の分布は，νの周りの星によって形成される。Ａ_νがλ_νの分布を有するとする。すると，Ａ_νはＡ_ν＝Ｂ_νＸ_νでモデル化することができ，ここでＢ_ν〜ベルヌーイ分布（ｐ_ν），Ｘ_ν〜ガンマ分布（τ_νη_ν）である。すべてのλ_ｅの合計はゼロであるから，Ａ_νはゼロの点質量を有する。これはＢ_νによって捕捉できる。Ａ_νの分布の正部分をモデル化するためには，ガンマ分布が魅力的である。何となれば，ガンマ分布はτ_ν＝ν／２，η_ν＝２のとき，自由度νのχ^２分布に等しいからである。λ_νの漸近分布は，独立なゼロ過剰（ｚｅｒｏ ｉｎｆｌａｔｅｄ）χ^２分布の確率変数の合計である。したがって，ゼロ過剰ガンマ分布はλ_νの分布をかなり良くモデル化できることが期待される。Ｎ個の独立な，同一に分布した標本の対数尤度は次の式で表される。

A star is generally a simple form of two shapes. The number of stars in the graph is the number of nodes, so for each node ν GLRT

The distribution of is formed by stars around ν. Let A _v have a distribution of λ _v . Then, A _v can be modeled by A _v = B _v X _v , where B _v -Bernoulli distribution (p _v ) and X _v -gamma distribution (τ _v η _v ). Since the sum of all λ _e is zero, A _v has a zero point mass. This can be captured by B _[nu. The gamma distribution is attractive for modeling the positive part of the distribution of A _v . If What becomes, gamma distribution τ _ν = _ν / 2, when eta _[nu = 2, is equal to the chi ² distribution with degrees of freedom [nu. The asymptotic distribution of λ _v is the sum of the random variables of independent zero-inflated χ ² distributions. Therefore, the zero excess gamma distribution is expected to be fairly well modeled distribution of lambda _[nu. The log likelihood of N independent, equally distributed samples is expressed by the following equation.

と表わすことができる。観測されたλ_νに対して，上部ｐ値は

によって計算され，ここでＦ_Γは，ガンマ累積分布関数（ＣＤＦ）である。 Direct numerical optimization may be used to estimate τ _ν and η _ν . For example, in some embodiments tested, this can be done over 10 days with a 30 minute window that does not overlap for each star centered at node ν. MLE

Can be expressed as For the observed λ _ν , the upper p-value is

It is calculated by, where F _gamma is the gamma cumulative distribution function (CDF).

  Road p-value

Unlike stars, many roads, to model lambda _gamma for each road in many systems, it is prohibitively expensive computation time and in terms of memory both requirements. Instead, a model may be constructed for each individual edge, and the edge model may be combined when calculating the likelihood of the road. Assume that for each edge e, Λ _e has an empty distribution of GLRT scores for e and λ _e . Again, the zero excess gamma distribution may be used for edge modeling. However, here, it is limited to the base for each side. Again, it is emphasized that the sky distribution of λ _e is motivated by the asymptotic zero excess χ ² distribution (having 50% mass at zero when one parameter is tested).

は，非重複の３０分の窓からλ_ｅｓを用いて推定してもよい。尤度は上述の星に関して説明したものと類似するが，各辺は独自のτ_ｅ及び共有尺度ηを有するため，すべての辺についてηを推定し，次に決定されたηについて個別のτ_ｅを推定するステップを交互に行う反復方式が開発された。反復の各ステップが尤度を増加させるため，手続全体が尤度を増加させる。 Assume Λ _e = B _e X _e . Here, B _e to Bernoulli distribution (p _e ), X _e to gamma distribution (τ _e , η), τ _e is a side specific shape, and η is a shared scale. That is, there are two free parameters p _e and τ _e for each side, and a common scale parameter η for all sides. MLE pe, τ _e and

May be estimated using λ _es from a non-overlapping 30-minute window. Likelihood is similar to that described for the stars above, but each side has its own τ _e and a shared measure η, so η is estimated for all sides and then the individual τ _e for the determined η An iterative scheme has been developed that alternates the steps of estimating. Because each iteration step increases the likelihood, the entire procedure increases the likelihood.

を仮定する。３縦続道超過（ｅｘｃｅｅｄａｎｃｅ）のｐ値は，次の式で与えられる混合超過である。

Once the edge model is determined, the p-value of the road can be calculated.

Assuming The p-value for 3 cascade excess is the mixture excess given by:

  Here, it is used that the sum of the gamma distribution random variables having the common scale parameter is also a gamma distribution.

  Threshold determination

  One way to determine the threshold is to simulate a count per minute of a period for each edge where no anomaly has occurred. For example, this may be performed for 10 days. Slide a 30-minute window that is shifted by 10 minutes over 10 days and calculate the minimum p-value for each window, as done during the full exploration procedure. To achieve a certain false discovery rate, such as one alarm per day, the tenth smallest p-value in the p-value result list may be taken, for example. Because the windows overlap, the same path as a single p-value is chosen to be less conservative by counting the smallest p-value obtained from successive windows, which is related to non-continuous windows. The second smallest p value may be found. In this way, alarms over several overlapping windows only give one alarm for threshold determination, which is generally the way an analyst sees a series of consecutive alarms.

  Some embodiments of the present invention are directed to detecting abnormal behavior using data defined over time on the edges of the underlying graph structure. Because attacks can be very local, some embodiments of the present invention apply windows locally in time x graph product space. The past model used for the data in this local window behaves as expected according to the past behavior. The k cascade is particularly effective for detecting passage through the network.

  FIG. 4 illustrates a method for detecting abnormal behavior on the network according to an embodiment of the present invention. In some embodiments, the method of FIG. 4 may be performed at least in part by, for example, computing system 200 of FIG. In order to determine the normal activity level, the network's past parameters are determined in step 410. The past parameter may include, for example, the number of connections on the side in various periods. In some embodiments, the past parameters estimate two edge types, a first type whose element edges have sufficient data to estimate an individual model, and an individual model of element edges. Therefore, it may be set in consideration of the second type for which there is not enough data. In one embodiment, the second type of edge is parameterized by an average vector to ensure that the model is not overly sensitive to low count edges.

  A plurality of paths in the network are listed as part of a graph representing the network in step 420. Each computing system may be a node in the graph, and the series of connections between the two computing systems may be directed edges in the graph. In order to detect anomalous behavior, a statistical model is applied to the graph on a sliding window basis in step 430. In some embodiments, an observed Markov model (OMM) is used. In another embodiment, a hidden Markov model (HMM) is used. In some embodiments, the OMM or HMM may be a two-state model (eg, “on” indicates the presence of a user and “off” indicates the absence of a user). However, some example methods do not necessarily depend on model selection. In other words, various statistical models may be used in various embodiments. In step 440, data belonging to the detected abnormal behavior is displayed to the user.

  Unified Host Aggregation Agent (UHCA)

  A host agent that protects the host by running security applications such as anti-virus software and firewalls may be used. The host agent generally uses a unified host aggregation agent (UHCA) that uploads data from the host to the server for anomaly detection. However, some embodiments of the present invention use UHCA to provide data including a network connection from the host to another machine, the process associated with the connection, the executable file associated with the process, etc. .

  For convenience, instead of obtaining data directly from the host, data is collected from the secondary server source. Some embodiments take this observation information into account for generating new events. The server may have a one-way communication with the host, whereby the server receives messages from multiple host agents. The lack of bidirectional communication in some embodiments increases efficiency.

  In many embodiments, complete data collection is not required for effective operation, so some embodiments use the User Datagram Protocol (UDP). These embodiments may capture as much information as possible, but if some are missed, anomaly detection generally still works effectively. This “lossy” collection scheme allows communication to be unidirectional because packet delivery is not guaranteed by the method implemented by TCP. This also allows a larger amount of data than the TCP based scheme.

  In some embodiments, the UDP stream is encrypted, thereby protecting the network data. Processing is an important issue, and data management is difficult in large-scale systems. Nonetheless, some embodiments can provide strong encryption and ensure privacy. Some embodiments help provide the additional processing necessary for security due to the lossy nature.

  Some embodiments can detect packet loss using packet sequence numbers while using UDP. Packets can be tracked on a machine-by-machine basis using media connection control (MAC) addresses and sequence numbers. This information may also be used independently of anomaly detection. For example, this information can be used for forensics to monitor data on a given host. For example, a checksum of an executable file may be placed in a list to determine whether a particular host has malware.

  The weakness of most data aggregation infrastructure is the limited visibility between internal nodes in the network. The endpoint visibility should be enhanced to improve attacker detection. Comprehensive endpoint visibility generally requires deploying software at the network host level. Not all network switches can aggregate network flow data at the lower network level. Similarly, DNS data visibility is usually affected by the cache and requires an enemy to use a host name rather than an IP address when setting up a connection to the target host.

  In order to improve endpoint visibility, some embodiments run on various operating systems such as Windows®, Mac OS®, Linux®, Android®, etc. A cross-platform software agent (hereinafter referred to as “agent”) is used. UHCA is written in Python in some embodiments, making it easy to adapt and extend to various target operating systems. However, any desired programming language or assembly code may be used. The main purpose of agents is data aggregation, and agents can be designed to have minimal impact on the host operating system. Tests have shown that some examples of agents use only 2-8% of a single CPU core. The agent may collect system status and events and encode them as JavaScript Object Notation (JSON) records called JSON encoding logs (JEL). In some embodiments, every JEL includes a generation time stamp, an agent ID (eg, MAC address), an agent IP address, an operating system type, and a record type (eg, network connection status).

  The JEL may be transferred by encrypted UDP packets to one or more central aggregation servers at relatively frequent intervals (eg, 1-5 minutes). In some embodiments, multiple servers may be specified in the agent configuration file, allowing the system to scale horizontally. The agent's aggregation capability includes process termination start information including a checksum of the start process image, network connection event log, correspondence between the running process and the set network connection, and the current network connection status. Good.

  Network polling status

  In order to detect abnormal paths, some embodiments obtain a list of triples (time, source IP address, destination IP address) indicating network communication between hosts. In order to extend such an embodiment to take advantage of UHCA data, it is generally desirable for agents to report unified host network communication information across all target platforms. In Linux (registered trademark), procs (in particular, / proc / tcp and / proc / udp) may be used to generate this data. In the implementation by OS X (registered trademark) and Android (registered trademark), the execution output of netstat may be parsed, but it is not an optimal method. Windows® agents may use the Python ctype Windows® IP helper module's GetExtendedTcpTable method (ctypes.windll.iphlpapi.GetExtendedTcpTable), which provides network status information similar to procfs and netstat. To do.

  In some embodiments, data is polled every second or any other desired time period. Naturally, the more polling, the more data is available for analysis and the shorter the connection types that are more likely to be captured. The disadvantage of polling every second is that short-lived (ie sub-second) connections are usually overlooked by the agent. While this can be a challenge for many detection techniques, the focus of some embodiments is to be able to detect network traversal interactively. Even automated passage usually requires a resolution of more than 1 second to maintain state at the destination node.

  To address the problem of losing sight of short-lived connections, it is advantageous to use a TCP time wait state. When the client communicates with the server over TCP, the server maintains a TCP connection state. When communication is complete, the server must generally maintain the connection information in a TIME_WAIT state for a period of time, usually 30 seconds or longer. This long time window allows the agent to capture information about sub-second network communications that would otherwise be lost. In post-processing, it can be seen from the test whether there is an entry in a time waiting state that did not have a corresponding set connection entry. Any such connection may be reported as a short lived connection.

  Some embodiments only require a triple list, but UHCA may return as much detail about the network connection as possible to the aggregation server to provide other applications. The data is post-processed in triplicate using, for example, a script for a small amount of test data, or MapReduce for a larger job. In other areas of network connection, JEL is used for source and destination ports, connection status (established, listening, time waiting, etc.), process ID associated with the connection, within a one minute time window, or any other desired It may include the number of seconds that the connection was active in the time window. Some embodiments utilize port information to better distinguish individual communications for anomaly detection, and count information is used to collect statistics such as mean and variance from the count. May be set.

  In testing, some examples incorporating UHCA showed about twice the edge detection rate of some examples without UHCA. For example, in one test with a total of 30 sides, the example without UHCA detects 14 out of 30 sides (46.7%), while the example with UHCA out of 30 sides. 27 (90%) were detected. The road consisted of 15 name sides and 15 IP sides. In this case, the embodiment without UHCA has a maximum theoretical detection rate of 50%, and the embodiment with UHCA has a maximum theoretical detection rate of 100%.

  The lower part of FIGS. 5A-5D shows four subpaths out of the five test paths generated in this experiment. For consistency, the first four sides of each road are shown, but some roads contain more sides. In all cases where an edge is omitted, this method detects the last edge indicated and then detects the remaining edges. If the method fails to detect the last edge, it continues to miss all remaining edges.

  5A to 5D, nodes (that is, network hosts) are drawn with circles, and edges (that is, network communication) are lines (named edges) having diamond-shaped short points indicating destination nodes, or arrow-shaped end points. Is drawn in any of the lines (IP sides) having The bars labeled DNS and UHCA are used to indicate the detection length of each method. The longer the bar, the longer the path detected. If there are no short bars or bars, emphasize that the failure to detect an edge in the road.

  FIG. 5A is a road diagram 500 illustrating a road generated using only name edges according to an embodiment of the present invention. The road shows the detection result of a road having 6 sides (6 cascades), and all sides were generated by host name reference. As expected, this road was successfully detected by a non-UHCA DNS road detection method (hereinafter “DNS method”). Surprisingly, the UHCA method missed the first two sides of the road, but the UHCA method picked up the subsequent road and detected the remaining four sides.

  After analyzing the data in detail, it was determined that one host involved in the road (second hop) was functioning as an institutional server and constantly creating many new connections. In some embodiments, since the new edge behavior is modeled, the software expected that this server would generate a new edge. Therefore, it was determined that the path traversal through this server had a low degree of abnormality and did not exceed the alarm threshold. This is an interesting result and justifies the use of some example models for simply judging all new edges (ie, all new edges) as abnormal. . Without such a model, all roads through this server will generate alarms and increase the false alarm rate.

  FIG. 5B is a road diagram 510 illustrating a road generated using only IP edges, according to an embodiment of the present invention. This road is a 7 cascade road all generated at the IP side. This experiment behaved exactly as expected. The UHCA method detected all sides, and the DNS method did not detect any sides. Since there is no DNS activity generated by this type of network traversal, the DNS scheme cannot detect this type of path at all.

  FIG. 5C is a diagram 520 of a path representing a path beginning with three name edges and ending with an IP edge, according to an embodiment of the present invention. This road is a 6 cascade road, the first three sides are generated by the name side and the last three sides are generated by the IP side. The DNS method was able to detect the first three sides as expected, but could not detect the IP side. The UHCA method was able to detect the entire road as expected.

  This unknown variant was also tested, but the results are not shown for the sake of brevity. In this five cascade road, the road starts with two IP edges and continues with three name edges. The UHCA method detected the entire road, but the DNS method detected only the road after switching to the name side.

  FIG. 5D is a road diagram 530 showing a path with alternating name sides and IP sides according to an embodiment of the present invention. This road is a six-way cascade, and the sides alternate between the name side and the IP side. It was predicted that this path could not be detected by the DNS system and could be detected entirely by UHCA. Actually, the UHCA method could detect the entire road, and the DNS method could detect the first side of the road. Analysis of the data revealed that this area is part of three unrelated cascades discovered by the DNS method. This side was accidentally related to the side chosen for this test path.

  These initial results are encouraging in that we were able to verify the hypothesis that the UHCA approach would improve attacker detection. This result also verified that the DNS method has a performance close to the expected detection rate.

  Data collection based on anomalies

  Not all available data on each host can be collected at any time due to the huge amount of data, especially in large networks. Instead, it may be collected in proportion to the abnormality level on the host determined by the abnormality detection method described here. When the level of anomaly is low, basic network connectivity (see, eg, DNS) and process information may be collected. At the medium level, more process accounting and services may be collected along with more complete network behavior data (eg, NetFlow data). At a high level, complete host behavior information, including process reports, services, public files, etc., may be collected along with complete packet capture for network visibility. In some cases this may be done only in a local area of the network, driven by anomaly detection. This provides higher quality detection capabilities for these hosts, but at the same time provides high quality forensic information to analysts who respond abnormally.

  In some embodiments, the anomaly level may be determined by the road passing method described herein. The passage through the nodes may be identified as just a few anomalies according to the current data collected at each node. However, when nodes in this way are behaving with medium level anomalies, more comprehensive data may be collected at each host in the way. To provide better fidelity, this data may be reflected in the algorithm so that the algorithm can make higher quality decisions about this path (eg, lower false positive rate and higher true Positive rate). As this new, higher fidelity data continues to be identified as anomalies, full packet capture and process reporting may be enabled at the host, thereby enabling high quality anomaly detection for use by security response personnel. Data and forensic data can be provided.

  FIG. 6 is a flowchart 600 of a method of using UHCA to collect data belonging to an anomaly according to an embodiment of the present invention. In some embodiments, the method of FIG. 6 may be performed at least in part by, for example, computing system 200 of FIG. The method begins at step 610 by periodically polling a plurality of host agents for data. In step 620, data is collected from a plurality of host agents belonging to network communications transmitted and received by corresponding hosts in the network. In some embodiments, the collected data may be sent in one-way communication from the host agent via UDP. The data collected for each host may include a checksum of the start process image, a network connection event log, a correspondence between the execution process and the set network connection, and process stop start information including the current network connection state. The collected data may include a list of triples indicating network communication between hosts, and each triple may include a time at which communication occurred, a source IP address, and a destination IP address.

  In some embodiments, data may be collected in proportion to the anomaly level of the corresponding host. For low-level anomalies, basic network connectivity and process information may be aggregated, as may be derived from the basic stochastic scheme. At mid-level anomalies, more process reports and services, and more complete network behavior data may be collected. For high-level anomalies, complete host behavior information may be collected and complete packet capture may be performed.

  In step 630, the collected data is analyzed to detect abnormal behavior within a predetermined period. In step 640, a TCP standby state is used to detect a short-term connection, and in step 650, a count weight is set using the count information. If an abnormal behavior is detected, an indication is provided in step 660 that the abnormal behavior has occurred during a predetermined period.

  The method steps performed in FIGS. 4 and 6 are computer program products that encode instructions for a non-linear adaptive processor to perform at least the method described in FIGS. 4 and 6, according to an embodiment of the present invention. It may be executed by. The computer program product may be implemented on a computer readable medium. The computer readable medium may be, but is not limited to, a hard disk drive, a flash device, random access memory, tape, or any other such medium used for storing data. The computer program product may include encoded instructions that control the non-linear adaptive processor to implement the methods described in FIGS. 4 and 6 and may also be stored on a computer readable medium.

  A computer program product can be implemented in hardware, software or hybrid implementation. A computer program product may consist of modules that operate to communicate with each other and are designed to pass information or instructions to a display device. The computer program product may be configured to operate on a general purpose computer or an application specific integrated circuit (ASIC).

  It will be readily appreciated that the components of the various embodiments of the present invention that are schematically described and illustrated in the drawings of the present application may be arranged and designed in a wide variety of other configurations. Accordingly, the detailed description of the embodiments of the present invention as illustrated in the accompanying drawings is not intended to limit the scope of the claimed invention, but is merely representative of selected embodiments of the present invention.

  The features, structures, and characteristics of the invention described throughout this specification may be combined in any suitable manner in one or more embodiments. For example, throughout this specification, references to “an embodiment,” “in some embodiments,” or similar expressions refer to specific features, structures, or characteristics described in connection with the embodiments at least. It is meant to be included in one embodiment. Thus, throughout this specification, the appearance of phrases in “in one embodiment,” “in some embodiments,” “in another embodiment,” or similar expressions are not necessarily all referring to embodiments in the same group. Rather, in one or more embodiments, the described features, structures, or characteristics may be combined in any suitable manner.

  It should be noted that throughout this specification, references to features, advantages, or similar expressions do not imply that all of the features and advantages that can be realized with the present invention are in any one embodiment of the present invention. . Conversely, expressions referring to features and advantages are to be understood as meaning that the specific features, advantages, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention. Accordingly, throughout this specification, features and advantages and descriptions of similar expressions do not necessarily refer to the same embodiment.

  Further, in one or more embodiments, the described features, advantages, and characteristics of the invention may be combined in any suitable manner. Those skilled in the art will appreciate that the present invention may be practiced without one or more of the specific features or advantages of a particular embodiment. Other examples, additional features and advantages that may not be present in all embodiments of the invention may be recognized in certain embodiments.

  One of ordinary skill in the art will readily appreciate that the above-described invention may be implemented with a different order of steps and / or differently configured elements than those disclosed. Thus, although the invention has been described with reference to a preferred embodiment, it will be apparent to those skilled in the art that certain modifications, variations, and alternative constructions remain within the spirit and scope of the invention. . Therefore, it is desirable to refer to the claims of this application to determine the boundaries and scope of the present invention.

Claims (22)

A computing system determining past parameters of a basic statistical model for each edge on the network to determine normal activity levels;
The computing system enumerating a plurality of k cascades in the network as part of a graph representing the network, each computing system in the network serving as a node in the graph, A series of connections between computing systems consists of directed edges in the network, steps,
Said computing system applying an observed Markov model (OMM) or a hidden Markov model (HMM) on a time sliding window basis to said plurality of k cascades in said graph;
The computing system detecting abnormal behavior based on the applied OMM or HMM;
A method implemented on a computer having   The computer-implemented method according to claim 1, further comprising the step of displaying data belonging to the detected abnormal behavior to a user. The OMM or the HMM has a two-state model;
"On" status indicates the presence of the user,
The computer-implemented method of claim 1, wherein an “off” state indicates the absence of the user.   The computer-implemented method of claim 1, wherein the computing system determines the past parameters taking into account at least two edge types. The first edge type has element edges with enough data to estimate the individual model,
5. The computer-implemented method according to claim 4, wherein the second edge type is an element edge and has an element edge for which there is not enough data to estimate an individual model of the element edge.   6. The computer implemented method of claim 5, wherein the second edge type is parameterized by an average vector to ensure that the model is not overly sensitive to low count edges. The computing system collecting data belonging to anomalies from a plurality of host agents belonging to network communications transmitted and received by corresponding hosts in the network;
Analyzing the collected data to detect anomalous behavior within a predetermined period of time;
The computer-implemented method of claim 1, further comprising: At least one processor;
A memory for storing computer program instructions, said instructions being executed by said at least one processor when executed by said at least one processor;
Determine the past parameters of the basic statistical model of each side of the net to determine the normal activity level;
List a plurality of k cascades in the network as part of a graph representing the network, each computing system in the network acts as a node in the graph, and a series of connections between two computing systems is: Make a directed edge in the network,
Applying a statistical model based on a sliding window of time to the plurality of k cascades in the graph;
Causing anomalous behavior to be detected based on the applied statistical model,
Device configured.   9. The apparatus of claim 8, wherein the computer program instructions are further configured to cause the at least one processor to display data belonging to the detected abnormal behavior to a user.   9. The apparatus of claim 8, wherein the statistical model is an observed Markov model (OMM) or a hidden Markov model (HMM). The OMM or the HMM has a two-state model;
"On" status indicates the presence of the user,
The apparatus of claim 10, wherein an “off” state indicates the absence of the user.   9. The apparatus of claim 8, wherein the computer program instructions are further configured to cause the at least one processor to determine the past parameters taking into account at least two edge types. The first edge type has element edges with enough data to estimate the individual model,
The apparatus according to claim 12, wherein the second edge type is an element edge and has an element edge for which there is not enough data to estimate an individual model of the element edge.   14. The apparatus of claim 13, wherein the second edge type is parameterized by an average vector to ensure that the model is not overly sensitive to low count edges. The computer program instructions are sent to the at least one processor.
Collecting data belonging to anomalies from a plurality of host agents belonging to network communications sent and received by corresponding hosts in the network;
Analyze the collected data to detect anomalies within a given period of time,
9. The apparatus of claim 8, further configured as follows. A memory for storing computer program instructions configured to detect abnormal behavior in the network;
A plurality of processing cores configured to execute the stored computer program instructions, the plurality of processing cores comprising:
Determine the past parameters of the basic statistical model of each side of the net to determine the normal activity level;
List a plurality of k cascades in the network as part of a graph representing the network, each computing system in the network acts as a node in the graph, and a series of connections between two computing systems is: Make a directed edge in the network,
Applying a statistical model based on a sliding window of time to the plurality of k cascades in the graph;
Detecting anomalous behavior based on the applied statistical model,
System configured.   The system of claim 16, wherein the plurality of processing cores are further configured to display data belonging to the detected abnormal behavior to a user.   The system of claim 16, wherein the statistical model is an observed Markov model (OMM) or a hidden Markov model (HMM). The OMM or the HMM has a two-state model;
"On" status indicates the presence of the user,
The system of claim 18, wherein an “off” state indicates the absence of the user. The plurality of processing cores are further configured to determine the past parameters taking into account at least two edge types;
The first edge type has element edges with enough data to estimate the individual model,
The system according to claim 16, wherein the second side type has an element side that is an element side and does not have sufficient data to estimate an individual model of the element side.   21. The system of claim 20, wherein the second edge type is parameterized by an average vector to ensure that the model is not overly sensitive to low count edges. The plurality of processing cores are:
Collecting data belonging to anomalies from a plurality of host agents belonging to network communications sent and received by corresponding hosts in the network;
The system of claim 16, further configured to analyze the collected data to detect anomalous behavior within a predetermined time period.

Images